woodsat_private (Greg A. Woods) wrote:

> From an SMTP point of view the headers are part of the body. The
> savings over filtering just the headers, vs. filtering up to at least
> the second MIME part in this case, is virtually nonexistent on any
> kind of modern hardware.

Indeed...

> (BTW, I seriously doubt any of the so-called experts who have been
> commenting on the relative impact this worm compared to others before it
> -- so far it's by and far the worst I've ever seen, either in my own
> inbox, or in the way it's affected mail servers, particularly at ISPs.

The magnitude of the ISP effect is probably due to two things...

First, as Greg mentioned, the virus's size is above most previous (and all "successful") mass mailers. The virus itself is approx 135KB then it concatenates a DOC, XLS, ZIP (or JPG (?) found in the "My Documents" directory) to itself. The smallest field sample I've seen so far is just over 200KB.

Second, most corporate sites are relatively unaffected by this. The smart ones have (eventually) resorted to whitelist attachment file-type filtering and many of the rest have been lucky enough that their scanner has not needed updating to scan .LNK files... This means that the bulk of the effect will be borne by ISPs *and* they tend to use "store and forward" (POP) or straight store (IMAP) mail systems for their clientele. Their clientele may also tend to be more lax about checking/clearing their Email *and* it's probably a fair bet that the "dead-account" ratio is much higher on your typical ISP/free Email service provider than your typical corporate network.

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Jul 26 2001 - 09:04:44 PDT
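
Added example, not part of the original message or the list archive: a sketch of the whitelist (allow-list) attachment file-type filtering mentioned in the reply above, next to a hypothetical deny-list that lacks .lnk. The extension sets, function names and the sample message are constructed assumptions, not any site's real policy.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed policy values for illustration; a real site chooses its own.
ALLOWED_EXTENSIONS = {".txt", ".pdf", ".png"}
STALE_DENYLIST = {".exe", ".vbs", ".scr"}  # hypothetical list lacking .lnk


def attachment_names(raw: bytes) -> list[str]:
    """Return the filename of every MIME part that declares one."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def final_extension(name: str) -> str:
    """Last extension only; trailing dots and spaces are stripped first."""
    return os.path.splitext(name.strip().rstrip("."))[1].lower()


def allowlist_verdict(raw: bytes) -> str:
    """Reject unless every attachment's final extension is explicitly allowed."""
    for name in attachment_names(raw):
        if final_extension(name) not in ALLOWED_EXTENSIONS:
            return "reject"
    return "accept"


def denylist_verdict(raw: bytes) -> str:
    """Reject only the extensions already listed as bad."""
    for name in attachment_names(raw):
        if final_extension(name) in STALE_DENYLIST:
            return "reject"
    return "accept"


def build_sample(filename: str) -> bytes:
    """Constructed test message carrying one opaque attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(b"\x00" * 1024, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample("report.doc.lnk")  # constructed filename
    print(denylist_verdict(sample), allowlist_verdict(sample))
```

The allow-list needs no update when a new file type shows up, because anything not listed, including a name with no extension at all, is rejected by default.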